Router attack [Solved]

netmaestro
PureBasic Bullfrog
Posts: 8452
Joined: Wed Jul 06, 2005 5:42 am
Location: Fort Nelson, BC, Canada

Router attack [Solved]

Post by netmaestro »

We have four computers in our network, two Win7 and two XP. We are connected to the internet via broadband with a static IP (not PPPoE). Recently all the workstations here began to experience unwanted redirects while surfing on the web. You'd type in an address and the page would take a long time loading and say 'waiting for http://www.google-analytics.com'. Your page would never load. Other times you'd get a box saying 'Message from webpage: Your computer contains virus activity. Press OK to start a free scan' and when you put that box down you were redirected to a page that appears to be busily scanning your system and has already found three trojans.

Action taken:
Everyone is using MSSE, we all updated our signatures and ran full scans. Nothing. Problem persists.
Everyone used system restore to restore to a date a month before this happened. Problem persists.
Downloaded Stopzilla and ran a full scan on one computer. Nothing was found. Problem persists.

Took a look at the router and found that no firewall was up on it and that the admin password was empty. This is my fault because I let my son fiddle with it last year trying to get an online game of his working. I didn't bother to check it when he was done. Given the completeness of the infection and that normal virus removal steps were ineffective, I began to suspect that the router had caught a virus. I unplugged it from all connections, held its reset button down for 30 seconds and restored all settings to factory defaults. I then set it back up and configured it to use our broadband and... Problem persists.

I then reasoned that it HAS to be the router unless our ISP has the virus, which while possible, is unlikely. Perhaps someone found my unprotected router with no admin password on the internet and flashed it with virused firmware. So I unplugged the router from the internet box and plugged the internet box into my computer only. I had to input all the IP address, subnet mask, primary/secondary DNS, etc. and then it worked fine. So for the past hour a couple of us have been taking turns surfing all over everywhere trying to see if we get redirected and so far, nothing. It seems OK.

Question, would I be able to fix this router by flashing the firmware? It's four years old, maybe even five and a new one is 40 bucks. Would I be safer replacing it? Obviously I'm going to enable the firewall and use an admin password.

Or: Am I off track believing I've isolated it to the router? Is this a known virus that some other AV software can get rid of? The last thing I want to do is replace my router with a new one only to discover that the problem persists.

Any comments are much appreciated as I'm a bit out of my depth on this one. Thanks in advance :mrgreen:
Last edited by netmaestro on Thu Sep 30, 2010 10:31 pm, edited 1 time in total.
BERESHEIT
Michael Vogel
Addict
Posts: 2820
Joined: Thu Feb 09, 2006 11:27 pm

Re: Router attack

Post by Michael Vogel »

Would be interesting which type of router it is - standard "business" routers from Cisco, 3Com etc. shouldn't have known problems with actual firmware versions, because security holes are fixed quite fast. Then anyone can only get into your router and make changes (UDP forwarding etc.) by knowing the admin password. Small "home" routers are often OEM products where no vendor spends much time fixing issues; some of these routers even have backdoors to get easy access to them.
However, a router normally won't install a virus on your PC, but using web sites offering a free virus scan will definitely bring a trojan horse onto your PC :|
blueznl
PureBasic Expert
Posts: 6172
Joined: Sat May 17, 2003 11:31 am

Re: Router attack

Post by blueznl »

Wow, indeed sounds like someone rewrote the firmware, that's impressive... and worrying. Apparently they thought it worth going through all that effort, which means they would be intent on infecting many routers, which in turn means they'd expect to be able to do so, otherwise they would not go through all that effort.

Now that last part is the most worrying thing. If they are expecting to be able to do so, then I would assume they do not need a password or anything, and will be able to overwrite your router in spite of any protection being enabled or not... So updating the firmware *might* fix the problem, but there's no guarantee. (What brand and model is it by the way?)

Unfortunately, it appears all (A)DSL providers have a higher level of access than even the owner of the router. For example I have a Thomson ADSL router here, and I've noticed a few cases where the router was reset by a remote configuration update. Nothing I can see here on this side, mind you, but when I do a 'backup' and compare the dumped (unreadable hex) data with a previous image, there are changes.

Two times, after such an 'update' by my provider, my modem would not reconnect and it turned out some settings had changed. When confronting the ISP they confirmed they made some 'configuration changes on the network' but 'did not know if it would affect end users or not'.

Obviously, it did affect some users, at least me...

I fear you can only try and reflash it and see what happens. With some luck later firmware removed some of the backdoors, but that might not be the case. Read through the firmware description for any security related changes, that might provide a clue.
( PB6.00 LTS Win11 x64 Asrock AB350 Pro4 Ryzen 5 3600 32GB GTX1060 6GB - upgrade incoming...)
( The path to enlightenment and the PureBasic Survival Guide right here... )
TerryHough
Enthusiast
Posts: 781
Joined: Fri Apr 25, 2003 6:51 pm
Location: NC, USA

Re: Router attack

Post by TerryHough »

Hi net

Sounds like you have one of several variations of the "Windows Security 2000" scamware virus. You described exactly how they work.

Just fixed a system for a customer today with the same problem. I was able to download and install MalwareBytes using an already installed copy of Chrome on that system to remove it.

Unfortunately this virus also prevents several different anti-virus programs from actually running and/or updating themselves. And, it even prevents the installation program for some of the major anti-virus programs from running.

Fortunately you can kill it. It always contaminates Internet Explorer, so if possible use a clean system or another browser to download the MalwareBytes anti-virus program and save it on a flash drive or something but don't run it. Then with the system disconnected from the network, at the command prompt copy the mbam-setup.exe to the root directory and rename from mbam-setup.exe to mbam.com. Then run that from the command prompt and eventually run the installed scanner. Usually detects and removes two "Trojan" items (if the system was otherwise clean). Do that process on all machines before reconnecting to the network (I've seen it reinfect other systems on the LAN).

That should get you going. Good luck.
dhouston
Enthusiast
Posts: 430
Joined: Tue Aug 21, 2007 2:44 pm
Location: USA (Cincinnati)

Re: Router attack

Post by dhouston »

@TerryHough

I think this was what my granddaughter had on her HP Pavilion running Vista last week. It was the nastiest thing I've seen in 25 years of PC use. She said the only thing she wanted to save was her photos so I copied those to an SD card, ran the HP recovery program (on a separate partition) which formatted the Windows partition and then reinstalled everything as it was when it left the factory. I installed Avira and scanned her photos before copying them back to the HDD, then configured Avira for a daily update/scan.

I was careful to keep it isolated from my network until after recovery, installing Avira from a USB drive and scanning the restored system before connecting to the network to update things from the internet.

It's good to know there's a way to remove it short of formatting and starting over.
http://davehouston.org
Mac Mini (Intel) 10.6.8 - iMac G4 (PPC) 10.4.11
Dell Dimension 2400 W98SE,W2K,XP,Vista,W7,Debian,Ubuntu,Kubuntu,Xubuntu,Fedora,Mandriva,Mint
(on swappable HDDs)
Vizio VTAB1008 - Android 3.1
MK808 miniAndroidPC (Android 4.1)
netmaestro
PureBasic Bullfrog
Posts: 8452
Joined: Wed Jul 06, 2005 5:42 am
Location: Fort Nelson, BC, Canada

Re: Router attack

Post by netmaestro »

The router in question is a D-Link DIR-625. The D-Link website let me download a firmware file for it but it identifies the product as being 'End-of-life' as of Sept. 1st 2010. I tried the Malwarebytes thing on one computer, following the directions carefully but it didn't find anything. I tried it on another computer and it would install but something was preventing it from running. I've updated the firmware in the router and reset it to factory default and disconnected all computers from it. Then I wiped off my C drive (I keep no data there anyway) and reinstalled Windows 7, then connected only this computer to the router. All seems well. Instructions to family members who want to connect to the internet via my router are going to be to wipe off their drives and do a clean install, install and run a good AV that shows a clean system and then they can reconnect. I'm just tired of messing with this virus, I wish I had the guy by the neck who wrote it :evil:
netmaestro
PureBasic Bullfrog
Posts: 8452
Joined: Wed Jul 06, 2005 5:42 am
Location: Fort Nelson, BC, Canada

Re: Router attack

Post by netmaestro »

Ok, spoke too soon. The problem is back, on my fresh clean install. Now the router has to go, that's all I can think of!
Joakim Christiansen
Addict
Posts: 2452
Joined: Wed Dec 22, 2004 4:12 pm
Location: Norway

Re: Router attack

Post by Joakim Christiansen »

netmaestro wrote: I've updated the firmware in the router and reset it to factory default
Then the problem came back? Hmm, did you forget to change its default password?
I remember once when I wrote a program to scan the internet for routers (port 23; telnet) and from time to time I found people using default passwords.

People actively scan the internet for all kinds of ports these days! I also used to scan for port 5900 (VNC) and I remember seeing that most of the (totally random) computers I found had already been hacked by others, that just demonstrates the craziness. I actually opened Notepad and chatted with another hacker once, good times...
I like logic, hence I dislike humans but love computers.
Michael Vogel
Addict
Posts: 2820
Joined: Thu Feb 09, 2006 11:27 pm

Re: Router attack

Post by Michael Vogel »

Joakim Christiansen wrote:
netmaestro wrote: I've updated the firmware in the router and reset it to factory default
Then the problem came back? Hmm, did you forget to change its default password?
I remember once when I wrote a program to scan the internet for routers (port 23; telnet) and from time to time I found people using default passwords.

People actively scan the internet for all kinds of ports these days! I also used to scan for port 5900 (VNC) and I remember seeing that most of the (totally random) computers I found had already been hacked by others, that just demonstrates the craziness. I actually opened Notepad and chatted with another hacker once, good times...
As I said, especially home routers have some backdoor passwords, not sure if the D-Link really has both admin AND administer active as stated in the following list: Default Logins

If the actual situation is that horrible, I would separate the PCs as much as possible, deactivate the internet connection and then only connect one single PC to the reset router to see if the router would really be the problem; next would be to establish the internet connection again and wait to see if the single PC gets infected (and all others stay clean).
Analyzing tools could also be helpful during the whole process, sniffing the traffic between the router and the PC.

Good luck,
Michael
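Michael's suggestion above (one PC on the reset router, sniff the traffic between them) and netmaestro's earlier observation that the PC behaved normally when plugged straight into the ISP's box give a practical comparison to make: do the DNS answers seen on the router path match the ones obtained on the direct path? The Python script below is an added example, not code from this thread or from any poster; it parses DNS response payloads as a sniffer would capture them on the LAN side of the router and flags A-record answers that differ from a baseline recorded over the direct connection. The domain names, the IP addresses (documentation ranges) and the baseline dictionary are constructed for the example, and the assumption that the redirects are produced by tampered DNS answers is the example's, not something the thread establishes.

```python
"""Compare sniffed DNS answers against a known-good baseline (added example)."""
import struct
import ipaddress


def encode_name(name):
    """Encode a dotted name as DNS labels (used only to construct test input)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, ips, txid=0x1234, ttl=300):
    """Construct a DNS response UDP payload; this stands in for a captured packet."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(data, offset):
    """Decode a possibly compressed DNS name; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(payload):
    """Return (queried name, [IPv4 answers]) from a DNS response payload."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset = 12
    qname = None
    for _ in range(qdcount):
        name, offset = read_name(payload, offset)
        offset += 4  # skip QTYPE and QCLASS
        qname = qname or name
    ips = []
    for _ in range(ancount):
        _owner, offset = read_name(payload, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return qname, ips


def check_response(payload, baseline):
    """Return the answers that are not in the baseline {name: set(ips)} for that name."""
    qname, ips = parse_a_records(payload)
    expected = baseline.get(qname.lower())
    if expected is None:
        return []  # no baseline for this name, nothing to compare
    return [ip for ip in ips if ip not in expected]


if __name__ == "__main__":
    # Constructed baseline, as if resolved on the PC plugged straight into the modem.
    baseline = {"www.example.test": {"192.0.2.10"}}
    # Constructed "sniffed" answer on the router path pointing somewhere else.
    sniffed = build_response("www.example.test", ["203.0.113.77"])
    print("suspicious answers:", check_response(sniffed, baseline))
```

The baseline is recorded once on the direct path for the handful of names the users actually visit; any answer on the router path that is not in that set is worth a closer look, while an empty list for every name points away from DNS tampering and back toward the workstations.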
Thorium
Addict
Posts: 1308
Joined: Sat Aug 15, 2009 6:59 pm

Re: Router attack

Post by Thorium »

Joakim Christiansen wrote: Then the problem came back? Hmm, did you forgot to change its default password?
I remember once when I wrote a program to scan the internet for routers (port 23; telnet) and from time to time I found people using default passwords.
Good routers don't allow config login from outside the LAN. Most routers even don't allow config login over WLAN.

If the user has software running that listens on a port, that's another story, but router config should not be accessible over WAN.
blueznl wrote: Unfortunately, it appears all (A)DSL providers have a higher level of access than even the owner of the router. For example I have a Thomson ADSL router here, and I've noticed a few cases where the router was reset by a remote configuration update. Nothing I can see here on this side, mind you, but when I do a 'backup' and compare the dumped (unreadable hex) data, and compare it with a previous image there are changes.
They don't have a higher level of access.
What you speak of is the auto config feature. That allows the router to configure itself with data provided by your provider.
There should be an option in the router config to deactivate it. On most routers it's activated by default.
Last edited by Thorium on Wed Sep 29, 2010 11:29 am, edited 1 time in total.
DarkDragon
Addict
Posts: 2347
Joined: Mon Jun 02, 2003 9:16 am
Location: Germany

Re: Router attack

Post by DarkDragon »

Thorium wrote: Most routers even don't allow config login over WLAN.
I've never seen a router which didn't allow it over WLAN.
Last edited by DarkDragon on Wed Sep 29, 2010 11:30 am, edited 1 time in total.
bye,
Daniel
Thorium
Addict
Posts: 1308
Joined: Sat Aug 15, 2009 6:59 pm

Re: Router attack

Post by Thorium »

DarkDragon wrote:
Thorium wrote: Most routers even don't allow config login over WLAN.
I've never seen a router which didn't allow it over WLAN.
All the Telekom routers don't. It's even stated in the manual that you have to connect via cable to configure it.
DarkDragon
Addict
Posts: 2347
Joined: Mon Jun 02, 2003 9:16 am
Location: Germany

Re: Router attack

Post by DarkDragon »

Thorium wrote:
DarkDragon wrote:
Thorium wrote: Most routers even don't allow config login over WLAN.
I've never seen a router which didn't allow it over WLAN.
All the Telekom routers don't. It's even stated in the manual that you have to connect via cable to configure it.
:shock: I have two telekom routers and both allow it. T-Sinus 111 and Speedport W700V. Even my repeater (Sitecom WL300) can be configured over WLAN.
Maybe you're speaking about the very first configuration. Well .. no SSID - no WLAN.

And btw.: we should clearly differ between router and nat-home-eggs-producing-pig-horse-boxes-without-real-name.
TerryHough
Enthusiast
Posts: 781
Joined: Fri Apr 25, 2003 6:51 pm
Location: NC, USA

Re: Router attack

Post by TerryHough »

netmaestro wrote: Ok, spoke too soon. The problem is back, on my fresh clean install. Now the router has to go, that's all I can think of!
I still think you are dealing with a version of the scamware based on "Windows Security 2000" that goes by several different names. Everything you describe is a symptom of the ones I've seen.

More than once I've thought I had it cleared only to see it start again. Eventually I found a process being started that reinstalls the virus' activity. It apparently then changes its own name and sets the system to start it on the next boot. The process name I had started with "WEP" followed by a random set of 9 numbers. On one system I found 39 different files with similar nomenclature scattered throughout various folders including the desktop. I've seen several that just had random numeric file names started as processes.

One system had Internet Explorer so mucked up with this stuff that when the anti-virus program cleaned IE it would not run anymore. Reinstalling IE8 and its security updates cleared that up. Of course, I had to use something other than IE to download the IE8 update (I used SRWare Iron).
netmaestro wrote: I'm just tired of messing with this virus, I wish I had the guy by the neck who wrote it
+1000 on that. It is a nasty thing to deal with.
Thorium
Addict
Posts: 1308
Joined: Sat Aug 15, 2009 6:59 pm

Re: Router attack

Post by Thorium »

DarkDragon wrote:
Thorium wrote:
DarkDragon wrote:
Thorium wrote: Most routers even don't allow config login over WLAN.
I've never seen a router which didn't allow it over WLAN.
All the Telekom routers don't. It's even stated in the manual that you have to connect via cable to configure it.
:shock: I have two telekom routers and both allow it. T-Sinus 111 and Speedport W700V. Even my repeater (Sitecom WL300) can be configured over WLAN.
Maybe you're speaking about the very first configuration. Well .. no SSID - no WLAN.
My Speedport W701V does not. If I try to connect via WLAN it does not respond. Maybe you can configure it to accept WLAN connections for config, but by default mine does not, and I know friends having different routers and saying it's the same for them.